Unable to renew or create a certificate because of challenge fail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vpsl.arrastechnology.com

I ran this command: sudo certbot certonly --webroot -w ./static -d vpsl.arrastechnology.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpsl.arrastechnology.com
Using the webroot path /home/ec2-user/VPSL_BACKEND/featureRepo/newCertificates/static for all unmatched domains.
Waiting for verification…
Challenge failed for domain vpsl.arrastechnology.com
http-01 challenge for vpsl.arrastechnology.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nodejs - 8.12.0

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

1 Like

How does your Node.js application create a route for the /static directory? Could you share that part of the code?

1 Like

Thanks so much. The code below. The same is working perfectly fine for one domain and not the other domain.

const express = require('express');
const app = express();
app.use(express.static('static'));
app.use((req, res, next) => { console.log('hello', req.url); next(); });
app.get('/health-check', (req, res) => { res.sendStatus(200); });
app.get('/', (req, res) => { console.log('response'); res.sendStatus(200); });
app.listen(80);

1 Like

Yes, that should work just fine.

Is your AWS LB definitely pointing at the correct server? Is it intentional that you have 2 IP addresses for that domain?

What might help would be to reorganize the order of some of your middleware so the static requests get logged as well:

const express = require('express');
const app = express();
app.use((req, res, next) => { console.log(req.connection.remoteAddress, req.url, req.headers["user-agent"]); next(); });
app.use(express.static('static'));
app.get('/health-check', (req, res) => { res.sendStatus(200)} );
app.get('/', (req, res) => { console.log('response'); res.sendStatus(200)} );
app.listen(80);

and confirm that you see the requests coming in when you run Certbot (with --dry-run).

You should see something like:

::ffff:127.0.0.1 /.well-known/acme-challenge/vyqfa32UC3FzP4sdp8hvchpTf5cBjOBHgsW4FtfIDFI Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
::ffff:127.0.0.1 /.well-known/acme-challenge/vyqfa32UC3FzP4sdp8hvchpTf5cBjOBHgsW4FtfIDFI Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
::ffff:127.0.0.1 /.well-known/acme-challenge/vyqfa32UC3FzP4sdp8hvchpTf5cBjOBHgsW4FtfIDFI Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
::ffff:127.0.0.1 /.well-known/acme-challenge/vyqfa32UC3FzP4sdp8hvchpTf5cBjOBHgsW4FtfIDFI Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)

(but with real IP addresses). There should be 4 requests for every --dry-run. If some are missing, it might mean some are going to the wrong server.

2 Likes
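To make the "4 requests per --dry-run" check repeatable, here is an added example (not code from this thread or from Certbot) that parses the lines printed by the logging middleware above and reports any challenge token that received fewer than four validation requests. The token names and IP addresses in the sample log are constructed.

```javascript
// Added example, not code from the thread: parse the lines printed by the
// logging middleware above and check that a certbot --dry-run produced the
// four validation requests the reply expects for each challenge token.
// The token and IP addresses in the sample log are constructed.
const ACME_PREFIX = '/.well-known/acme-challenge/';
const LE_UA = "Let's Encrypt validation server";
const EXPECTED_PER_TOKEN = 4;
// Parse one "<remoteAddress> <url> <user-agent>" line into its fields.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(.*)$/.exec(line.trim());
  return m ? { ip: m[1], url: m[2], ua: m[3] } : null;
}

// Count validation hits per token, ignoring anything that is not an
// ACME challenge request from the Let's Encrypt validation user-agent.
function countValidationHits(lines) {
  const hits = {};
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !req.url.startsWith(ACME_PREFIX)) continue;
    if (!req.ua.includes(LE_UA)) continue;
    const token = req.url.slice(ACME_PREFIX.length).split('?')[0];
    hits[token] = (hits[token] || 0) + 1;
  }
  return hits;
}

// Tokens that received fewer than EXPECTED_PER_TOKEN requests; the reply
// above attributes a shortfall to requests reaching a different server.
function findShortfalls(lines) {
  const short = {};
  for (const [token, n] of Object.entries(countValidationHits(lines))) {
    if (n < EXPECTED_PER_TOKEN) short[token] = EXPECTED_PER_TOKEN - n;
  }
  return short;
}
// Constructed sample: tokenAAAA was fetched 4 times, tokenBBBB only twice,
// and one unrelated request should be ignored.
const UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)";
const SAMPLE_LOG = [
  `::ffff:10.0.0.5 ${ACME_PREFIX}tokenAAAA ${UA}`,
  `::ffff:10.0.0.6 ${ACME_PREFIX}tokenAAAA ${UA}`,
  `::ffff:10.0.0.7 ${ACME_PREFIX}tokenAAAA ${UA}`,
  `::ffff:10.0.0.8 ${ACME_PREFIX}tokenAAAA ${UA}`,
  `::ffff:10.0.0.5 ${ACME_PREFIX}tokenBBBB ${UA}`,
  `::ffff:10.0.0.6 ${ACME_PREFIX}tokenBBBB ${UA}`,
  '::ffff:192.0.2.9 /health-check curl/7.61.1',
];
console.log(findShortfalls(SAMPLE_LOG)); // { tokenBBBB: 2 }
```

A token listed in the result means the load balancer or target group delivered only some of the validation requests to this instance, which is the situation the reply above describes.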

Looks like you are right … Looks like there was some problem with either the port or the instance. I created a brand new target group and put the same (EC2) instance in a different target group listening on port 80.

I am able to create the certificates now !!

Sincere thanks !!

Output below.

[ec2-user@ip-172-16-1-14 newCertificates]$ sudo certbot certonly --webroot -w ./static -d arrastechnology.com -d vpsl.arrastechnology.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/arrastechnology.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/arrastechnology.com/privkey.pem
    Your cert will expire on 2020-04-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

2 Likes

I am going to generate these certificates one more time tomorrow and put them on AWS and make sure everything works !! If I need any help, I will come back on this channel. You saved my day today !! Sincere thanks.

Regards and have a good day !!

Satish

2 Likes
